[PATCH v2 1/1] UBUNTU: SAUCE: tcp: Correct the backport of the CVE-2018-5390 fix

[Tyler Hicks]

The backport of upstream commit 3d4bf93ac120 ("tcp: detect malicious
patterns in tcp_collapse_ofo_queue()") didn't correctly reset
range_truesize when moving on to a new range and didn't increase
range_truesize when operating within a range.

CVE-2018-5390

Fixes: 8a668da92a76 ("tcp: detect malicious patterns in tcp_collapse_ofo_queue()")
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 net/ipv4/tcp_input.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index ab79331a510e..e9cb861e7289 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4636,8 +4636,9 @@ static void tcp_collapse_ofo_queue(struct sock *sk)
 			/* Start new segment */
 			start = TCP_SKB_CB(skb)->seq;
 			end = TCP_SKB_CB(skb)->end_seq;
-			range_truesize += skb->truesize;
+			range_truesize = skb->truesize;
 		} else {
+			range_truesize += skb->truesize;
 			if (before(TCP_SKB_CB(skb)->seq, start))
 				start = TCP_SKB_CB(skb)->seq;
 			if (after(TCP_SKB_CB(skb)->end_seq, end))
-- 
2.7.4